Why does it matter if Firefox ran as root or not? I agree it's terrible practice in principle. But most people will run Firefox as their ordinary user, which normally has full access to the files in their home directory.
If someone gets arbitrary code execution under your user, they can erase/encrypt your files. Who cares if the OS files are safe. All the data you really care about will be gone.
Agree. An ordinary user is absolutely sufficient.
I'll now present a sophisticated privilege escalation method that most of us won't notice (me included, sarcasm off):
alias sudo='/usr/bin/sudo echo something evil && /usr/bin/sudo'
I don't think it matters that he used his root account.
As an attacker, I test for sudo -n. If it succeeds, I have root. In most cases I do not need it however. SSH key trusts, SSH multiplexing and bad posix permissions are more than enough to get me anywhere and grab anything.
If they have access to your .bashrc they can also alter your PATH and create a script named sudo somewhere they have write access to that carries the malicious payload. So you're not gaining much by adding the quotes.
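As an added example, not taken from any comment in this thread: a small shell script that checks for the two user-level sudo hijacks described above, an alias or function named sudo in a shell rc file, and a PATH directory that is writable by the current user and searched before the directory holding the real sudo. The function names, the rc file list and the sample rc contents are my own construction; run it as the ordinary user, since as root every directory is writable and the PATH check becomes meaningless.

```bash
#!/bin/bash
# Added example (not from the thread): detect user-level sudo hijacks.
# 1. rc_hijacks_sudo FILE      -> succeeds if FILE defines an alias or
#                                 shell function named "sudo"
# 2. hijackable_path_dirs PATH REALDIR
#                              -> prints PATH entries searched before
#                                 REALDIR that are empty/relative or
#                                 writable by the current user

rc_hijacks_sudo() {
    # Matches lines such as:
    #   alias sudo='...'
    #   sudo() { ... }
    #   function sudo() { ... }
    grep -Eq '^[[:space:]]*(alias[[:space:]]+sudo=|(function[[:space:]]+)?sudo[[:space:]]*\(\))' "$1"
}

hijackable_path_dirs() {
    local path="$1" real_dir="$2" d
    local IFS=':'
    for d in $path; do
        # Anything after the real sudo's directory cannot shadow it.
        [ "$d" = "$real_dir" ] && break
        case "$d" in
            # Empty or relative entries resolve to the CWD: hijackable.
            ''|.|./*|../*) echo "${d:-<empty>}"; continue ;;
        esac
        [ -w "$d" ] && echo "$d"
    done
    return 0
}

scan_live_environment() {
    local rc real real_dir
    for rc in "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile"; do
        if [ -f "$rc" ] && rc_hijacks_sudo "$rc"; then
            echo "WARNING: sudo alias/function defined in $rc"
        fi
    done
    # In a script, command -v ignores interactive aliases and yields the binary.
    real=$(command -v sudo 2>/dev/null) || real=/usr/bin/sudo
    real_dir=$(dirname "$real")
    hijackable_path_dirs "$PATH" "$real_dir" | while IFS= read -r d; do
        echo "WARNING: PATH entry before $real_dir is attacker-writable: $d"
    done
    return 0
}

scan_live_environment
```

A clean result prints nothing. Note that this only covers the shell side: an attacker with write access to your rc files can just as easily drop a wrapper named sudo into any directory that already precedes /usr/bin in PATH, which is why the second check looks at directory permissions rather than at the rc file alone.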
There may be things an exploit can do as root that wouldn't work under your user to break out of the Adobe Flash "sandbox". But yeah, the real recommendation is to get rid of Flash and kill it with fire. The security of free software isn't foolproof, but good riddance from the web to that particular closed source blob.
The whole point of security and good practices is to make it harder for that arbitrary code to be executed (or for whatever other flaws to be exploited, until they're fixed). Running a browser as root is not good practice. It doesn't mean that something bad will happen, but it's more or less like laying the cheese on the ground and expecting mice not to go after it. Even if you have none around, you just shouldn't risk it. At all. Unless you know exactly what you're doing.
This is why I wish people took mandatory access control more seriously. But to make it really pervasive and useful you need something like what Android has, where the file format mandates MAC profiles for the app. Even Red Hat cannot maintain SELinux profiles for every package in every repo, and even then third parties would complain about having to write the profiles just for RHEL / Fedora packages.
It is something the entire ecosystem would have to, at once, agree to make happen, and then standardize mandated MAC profiles in every package format. So basically never.